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An Uninvited Guest
(Who Won't Go Home)

Black Hat DC 2010
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A woman has been arrested in Japan for sneaking into a man's 
house and living in his wardrobe without him knowing. 

Police found 58-year-old Tatsuko Horikawa living in a small storage 
space in the house in the southern city of Fukuoka. 

The house belonged to a 57-year-old man, who had become 
suspicious after food disappeared from his fridge. 

So he installed a surveillance system, which filmed the woman as she 
walked around in his absence. 

On Wednesday afternoon police searched the house and found the 
woman in her cubby hole. 



Police spokesman Hiroki Itakura called the intruder "neat and clean"
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Applying the Metaphor 



With respect to anti-forensics, one way to be "neat and clean":
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Applying the Metaphor

If properly engineered...

Not much outside of the page file can be captured post mortem

[Screenshot: Windows "Virtual Memory" dialog ("Automatically manage paging file size for all drives"). Paging file size for each drive: C: [SYSTEM] - System managed, D: [DATA] - None. Selected drive: C: [SYSTEM], space available: 16534 MB. Total paging file size for all drives: minimum allowed 16 MB, recommended 1534 MB, currently allocated 1323 MB]
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There are two challenges that this approach entails
These issues will define our primary design requirements
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Evading Memory Analysis

[Kernel debugger output: "!process 85113d90 2" for explorer.exe (SessionId 1, Cid 0704, Peb 7ffdf000, DirBase 13ffd000, HandleCount 271), followed by the process's THREAD entries, each in a WAIT state on SynchronizationEvent, NotificationEvent or QueueObject objects]
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[Screenshot: Windows "Shutdown Event Tracker" dialog. "Select the option that best describes why you want to shut down the computer." Option: "Other (Planned) - A shutdown or restart for an unknown reason". Comment: "Call the security officer, I've been rooted"]



Hide in a Crowd 



Basic Idea: 

■This is the classic malware tactic 
■Create a new process/thread 
■Inject a module into an existing one 
■Try to blend in with existing objects 
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[Screenshot: Process Explorer properties of a svchost.exe process, Services tab ("Services registered in this process"): EventSystem (COM+ Event System, C:\Windows\system32\es.dll), LanmanWorkstation (Workstation, C:\Windows\System32\wkssvc.dll), netprofm (Network List Service, C:\Windows\System32\netprofm.dll), nsi (Network Store Interface, C:\Windows\system32\nsisvc.dll), SSDPSRV (SSDP Discovery, C:\Windows\System32\ssdpsrv.dll), W32Time (Windows Time), WebClient (C:\Windows\System32\webclnt.dll). Description shown for SSDPSRV: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered. If this service is disabled, any services that explicitly depend on it will fail to start."]
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Hide in a Crowd

Downsides:

■This tactic will not survive careful scrutiny
■Standard live response forensics will unearth this sort of rogue binary

[Screenshot: TCPView (Sysinternals, www.sysinternals.com) on host "innersanctum": AsiServer.exe:1768, lsass.exe:568, services.exe:548 and svchost.exe:1000 with their TCP/TCPv6/UDP LISTENING endpoints (ports 1954, 1030, 1854, 1028, 1027, isakmp, ipsec-msft), and qttask.exe:3344 LISTENING on TCP innersanctum:14147. Callout: "Huh? QuickTime doesn't run an FTP service?" Status bar: Endpoints: 33, Listening: 20]
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Active Concealment

Basic Idea:

■Install a module (e.g. a service, driver, injected library, etc.)
■Modify the system so that the module's presence isn't readily detectable

Strategy                | Tactics               | Objects Affected
Modify Static Elements  | Hooking               | IAT, SSDT, GDT, IDT, MSRs
                        | In-Place Patching     | System Calls, Driver routines
                        | Detour Patching       | System Calls, Driver routines
Modify Dynamic Elements | Alter Repositories    | Registry Hives, Event Logs
                        | DKOM                  | EPROCESS, DRIVER_SECTION
                        | Patch Callback Tables | Module .data, .bss sections
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Active Concealment

■You're still creating bookkeeping data entries in OS data structures
■This is unavoidable (if you're using native facilities to load the module)
■You may be able to hide from some tools, but not all of them simultaneously
■This is the basis for cross-view detection, which has proven effective

How RootkitRevealer Works

Since persistent rootkits work by changing API results so that a system view using
APIs differs from the actual view in storage, RootkitRevealer compares the results of a
system scan at the highest level with that at the lowest level. The highest level is the
Windows API and the lowest level is the raw contents of a file system volume or
Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits,
whether user mode or kernel mode, that manipulate the Windows API or native API to
remove their presence from a directory listing, for example, will be seen by
RootkitRevealer as a discrepancy between the information returned by the Windows
API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
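The cross-view comparison the quote describes, reduced to its core logic, as an added example (not RootkitRevealer's code and not from the slides): two snapshots of the same objects, one taken through the documented API and one by parsing raw structures, are diffed, and whatever appears in only one of them is reported. Both snapshots below are constructed; the file sizes and parent PIDs are made up.

```python
"""Cross-view detection: diff a high-level (API) view of system objects
against a low-level (raw structure) view of the same objects.
Added example; the snapshots are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "hidden": raw view only; "phantom": API view only; "mismatch": both, differing
    key: str     # object identity (file path, or "pid:image" for processes)
    detail: str


def cross_view(high: dict, low: dict) -> list:
    """Compare two views keyed by object identity.

    high: what the documented API returned (directory listing, process enumeration, ...)
    low:  what a raw parse of on-disk or in-memory structures returned
    Values are whatever attributes were recorded (size, parent pid, ...)."""
    findings = []
    for key in sorted(set(low) - set(high)):
        findings.append(Discrepancy("hidden", key, f"raw scan sees {low[key]!r}; API does not"))
    for key in sorted(set(high) - set(low)):
        findings.append(Discrepancy("phantom", key, f"API reports {high[key]!r}; raw scan does not"))
    for key in sorted(set(high) & set(low)):
        if high[key] != low[key]:
            findings.append(Discrepancy("mismatch", key, f"API {high[key]!r} vs raw {low[key]!r}"))
    return findings


# Constructed file-system snapshots of one directory: the API view is what a
# directory listing returned, the raw view is what a parse of the NTFS MFT found.
API_FILES = {
    r"C:\Windows\system32\es.dll": 241664,
    r"C:\Windows\system32\wkssvc.dll": 135168,
    r"C:\Windows\system32\rpcnet.exe": 48128,
}
RAW_FILES = dict(API_FILES)
RAW_FILES[r"C:\Windows\system32\drivers\kmd.sys"] = 8192   # filtered out of the API results

# Constructed process snapshots: API enumeration versus a scan of memory for
# process objects. Values are parent PIDs (made up for the sample).
API_PROCS = {"548:services.exe": 4, "1000:svchost.exe": 548, "3344:qttask.exe": 2096}
RAW_PROCS = dict(API_PROCS)


def scan_sample() -> dict:
    """Run both comparisons on the constructed snapshots, grouped by object type."""
    return {
        "files": cross_view(API_FILES, RAW_FILES),
        "processes": cross_view(API_PROCS, RAW_PROCS),
    }


if __name__ == "__main__":
    for view, findings in scan_sample().items():
        print(view, "ok" if not findings else "")
        for f in findings:
            print(f"  [{f.kind}] {f.key}: {f.detail}")
```

Objects that merely blend in (rpcnet.exe, qttask.exe) show up in both views and are not flagged; cross-view only catches what is actively filtered out of the API path, which is why the slides treat "hide in a crowd" and "active concealment" as different problems.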






Active Concealment

■Sidestep the system-level APIs (which can be subverted by an intruder)
■Instead, forensic tools parse system data structures directly

[Screenshot: MANDIANT Memoryze product page. "Memoryze can: image the full range of system memory (not reliant ...); image a process' entire address space, including loaded DLLs, EXEs, heaps, and stacks; image a specified driver or all drivers loaded in memory to disk; enumerate all running processes (including those hidden by rootkits). For each process ..."]
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Jump out of Bounds

Basic Idea:

■Eschew direct modification of the targeted operating system
■Migrate code outside of the OS proper and operate from this vantage point

Hiding Spot     | Example
Host/Root Mode  | Blue Pill Project, http://bluepillproject.org/
SMM Mode        | Embleton & Sparks Implementation, http://www.blackhat.com/presentations/bh-usa-08/Embleton_Sparks/BH_US_08_Embleton
AMT Environment | Ring -3 Rootkits, http://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Rin



Jump out of Bounds 



This Trend Highlights a Recurring Theme: 

■Vendors try to counter malware by creating fortified regions of execution
■This seems like a great idea, until malware finds its way into these regions



[Quoted from Intel's AMT product page: "Proactive alerting. Isolate. Proactively blocking incoming threats, Intel AMT System Defense contains infected clients before they impact the network while alerting IT when critical software agents are removed."]

http://www.intel.com/technology/platform-technology/intel-amt
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Jump out of Bounds 



Downsides 



These techniques tend to be hardware dependent 

You may not have any information on the target platform 

In some cases, all you'll have to start with is a bunch of open ports 



C:\>nmap -sS 12.120.184.8 

Starting Nmap 5.00 at 2009-10-26 13:35 Pacific Daylight Time 

NSE: Loaded scripts for scanning. 
Initiating ARP Ping Scan at 13:35 
Scanning 12.120.184.8 [1 port] 

Completed ARP Ping Scan at 13:35, 0.18s elapsed (1 total hosts) 

Initiating Parallel DNS resolution of 1 host, at 13:35 

Completed Parallel DNS resolution of 1 host, at 13:35, 0.02s elapsed 

Initiating SYN Stealth Scan at 13:35 

Scanning 12.120.184.8 [1000 ports] 

Discovered open port 80/tcp on 12.120.184.8 

Discovered open port 8099/tcp on 12.120.184.8 

Completed SYN Stealth Scan at 13:35, 0.26s elapsed (1000 total ports) 
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Engineering Concessions

Need to resolve conflicting directives

On one hand, we wish to:

■Minimize the footprint we leave in the system's data structures
■Establish a presence without creating a new process/thread
■Implement rootkit functionality without creating bookkeeping artifacts

At the same time, we'd like to:

■Remain as hardware agnostic as possible
■Use technology that's relatively transferable across the Intel platform
■Avoid writing custom driver code for a specific Intel/OEM chipset




Professor G.H. Dorr: 

"You, sir, are a Buddhist. Is there not a 'middle' way?" 




The General: 

"Mm. Must float like a leaf on the river of life 
and kill old lady." 



From The Ladykillers, Touchstone Pictures (2004) 
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One Potential Middle Path...

Shellcode
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You Heard Me... Shellcode 
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The Benefits of Shellcode

x86 Shellcode offers a degree of autonomy

■It doesn't require address fix-ups to execute
■Therefore, it doesn't use the Windows loader
■Bookkeeping entries aren't generated in the kernel

x86 Shellcode also offers a modicum of portability

■It's generally transferable across Intel motherboards

Thus, we've reached a middle ground

■We want to rely as little as possible on native facilities
■Any facilities that we invoke can be used to detect us
■But we also want to avoid excessive hardware dependence

; Locating kernel32.dll without help from the loader (classic user-mode example)
find_kernel32:
    push esi
    xor eax, eax
    mov eax, fs:[eax+0x30]        ; PEB
    test eax, eax
    js find_kernel32_9x           ; on Win9x the PEB sits in the upper half of the address space
find_kernel32_nt:
    mov eax, [eax + 0x0c]         ; PEB->Ldr
    mov esi, [eax + 0x1c]         ; InInitializationOrderModuleList.Flink
    lodsd                         ; second entry in the list
    mov eax, [eax + 0x8]          ; DllBase
    jmp find_kernel32_finished
find_kernel32_9x:
    mov eax, [eax + 0x34]
    lea eax, [eax + 0x7c]
    mov eax, [eax + 0x3c]
find_kernel32_finished:
    pop esi
    ret
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The Drawbacks of Shellcode 



Raw assembly shellcode is tedious to write
Logic can get lost in all those statements

As a result, it can be prone to subtle bugs

And also be generally difficult to maintain
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Is there a way to sidestep all these issues? 
Couldn't we just write shellcode in C? 
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[Title slide of the referenced talk: "Windows Shellcode Mastery", BlackHat Europe 2009, Benjamin CAILLAT, ESIEA - SI&S lab, caillat [at] esiea [dot] fr, bcaillat [at] security-labs [dot] org]
Types of Shellcode

Environment | Popular Example                                                                 | Comments
User-Mode   | Metasploit Shellcode Archive, http://www.metasploit.com/shellcode/                | Easier to implement; easier to detect, capture
Kernel-Mode | Deepdoor, http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Rutkowska.pdf | More powerful (Ring-0); more complicated

In the interest of stealth, I decided to employ kernel-mode shellcode
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Why is persistence even an issue? 
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But this isn't always the case
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Mission critical deployments managed by:
■The Chicago Stock Exchange
■E*TRADE

Have been known to:

■Reboot their servers daily
■Implement rolling shutdowns peri

http://staging.glg.com/tourwindowsntserver/CHX/technical.htm
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One way to arrive at a potential solution 
Is to examine the idea of "self-healing" software 
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A good example of a commercial implementation: 

Absolute Software's Computrace product 
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Computrace is a loss prevention product
The client piece consists of two components

Application agent (rpcnet.exe)

■Runs as a nondescript service
■Phones home over an encrypted channel
■Manages "helper" applications
■Collects "inventory" data

Persistence Module

■A secondary, independent, subsystem
■Embedded in disk partition gap (or firmware)
■Monitors for presence of Application Agent
■Re-installs agent if detects that it's missing
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The application agent hides in a crowd
It attempts to blend in with all of the other RPC services

[Screenshot: Registry Editor, the Services key tree with Rpcnet selected between RpcSs and rspndr (neighbours: SamSs, sbp2port, SCardSvr, Schedule, SCPolicySvc, SDRSVC). Values: DisplayName (REG_SZ) = "Remote Procedure Call (RPC) Net", ErrorControl (REG_DWORD) = 0x00000001 (1), ImagePath (REG_EXPAND_SZ) = C:\Windows\system32\rpcnet.exe, ObjectName (REG_SZ) = LocalSystem, Start (REG_DWORD) = 0x00000002 (2), Type (REG_DWORD) = 0x00000010 (16)]
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It doesn't take much to abstract these ideas
And then recast the two components as a rootkit

Original (White Hat) Package

Application agent (rpcnet.exe)
■Runs as a nondescript service
■Phones home via encrypted channel
■Manages helper applications
■Collects inventory data

Persistence Module
■An independent subsystem
■Stashed on disk, or in firmware
■Monitors for presence of Agent
■Re-installs agent if missing

Black Hat Incarnation

Rootkit (kmd.sys)
■Provides concealment services
■Implements Command & Control
■Performs Surveillance

Secondary Rootkit
■An independent subsystem
■Provides concealment services
■Monitors for presence of Rootkit
■Re-installs Rootkit if missing
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Implementing the Backup Rootkit 



■There are a number of ways that we could implement the secondary rootkit 
■Each approach has its own set of tradeoffs 



Possible Implementation       | Comments
Backup Service/Driver         | Robust, but conspicuous during a post-mortem
Bootkit (e.g. Stoned Again)   | Less conspicuous, but still vulnerable to forensics
Firmware-Based Module         | Very stealthy, but also fairly hardware dependent
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More Engineering Concessions

Again, conflicting directives

On one hand, we wish to:

■Survive a system restart

At the same time, we'd like to:

■Minimize the amount of forensic evidence on the target system
■Keep our runtime footprint as small as possible
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In other words... 

We want a stealthy, fault-tolerant, and logistically tenable solution 
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One Solution 



Install the persistence module on another machine 
Where it can monitor the target for a heartbeat signal 




An Aside on Deployment 



The Desktop Machines of High-Ranking Officials are Soft Targets 



Their status often provides them with admin rights 
But they're not the most technically savvy people 
And they also install all sorts of 3rd party software 
So their machines are typically "noisy" to begin with 
In the mind of the admin, availability trumps security 
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Kernel-Mode Shellcode in C 
■Creating 
■Extracting 
■Deploying 
■Executing
Creating Kernel-Mode Shellcode

Shellcode is merged into a single segment
using Visual Studio preprocessor directives

#pragma section(".code", execute, read, write)
#pragma comment(linker, "/MERGE:.text=.code")
#pragma comment(linker, "/MERGE:.data=.code")
#pragma comment(linker, "/SECTION:.code,ERW")
#pragma code_seg(".code")

[Diagram: the driver's section layout, .code / .rdata / PAGE / INIT / .reloc. The .code section encapsulates both code and data]



Creating Kernel-Mode Shellcode

Don't use conventional address resolution tables
■.idata
■.reloc

The shellcode has its own internal symbol table
This table is used to store the addresses of:

■Imported Routines
■Local Routines (referenced in callbacks)

The internal symbol table is just a C structure

typedef struct GD_
{
    // "GD" as in Global Data
} GD;

[Diagram: section layout, .code / .rdata / PAGE / INIT / .reloc]
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Creating Kernel-Mode Shellcode

The composition of GD is imposed upon storage that's reserved for a routine

GD* gd = (GD*)GlobalDataRoutine();

The storage routine also returns the address of its data at runtime

unsigned int GlobalDataRoutine()
{
    unsigned int globalDataAddress;

    __asm
    {
        call endOfData
        // allocate shellcode data storage here: the bytes between the
        // call and the label are the GD structure itself
    endOfData:
        pop eax                       // eax = return address = start of the data
        mov globalDataAddress, eax
    }

    return (globalDataAddress);
}
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Creating Kernel-Mode Shellcode

An entry in this internal symbol table is referenced at runtime as follows:

address of entry = (Table's address) + (Offset into table)

; Call a routine whose address is stored in the symbol table
mov eax, GlobalDataRoutine
call DWORD PTR [eax+24]

Notice how the table entry offset is predetermined at compile time

End Result:

A series of addresses is replaced by a single address and a bunch of offsets
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Creating Kernel-Mode Shellcode

The internal symbol table is populated when the shellcode is loaded

In other words, the shellcode takes over work traditionally done by the loader
■Most of the real work involves resolving external routines
■MSR Scandown is used to locate routines exported by ntoskrnl.exe

http://www.uninformed.org/?v=3&a=4&t=sumry

■AuxKlibQueryModuleInformation() is also invoked when necessary

Note: using routines in aux_klib.lib will require makefile adjustments
This library is not mentioned in the WDK's default makefile.new

GETLIB=$(DDK_LIB_PATH)\ntoskrnl.lib $(DDK_LIB_PATH)\hal.lib $(DDK_LIB_PATH)\wmilib.lib
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Creating Kernel-Mode Shellcode

The SOURCES file deviates slightly from the KMD standard

TARGETNAME=HeartBeat
TARGETPATH=.
TARGETTYPE=DRIVER
SOURCES=HeartBeat.c
INCLUDES=.
MSC_WARNING_LEVEL=/W3
USER_C_FLAGS=/Od /Oy /GS- /GR- /FAc /TC
TARGETLIBS=$(DDK_LIB_PATH)\netio.lib

[Callout: "Really important settings" points at the USER_C_FLAGS and TARGETLIBS lines]

Also, to prevent the linker from treating warnings as errors
Change the following line in the WDK's default makefile.new:

LINKER_WX_SWITCH=/WX

To

LINKER_WX_SWITCH=/WX:NO
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Creating Kernel-Mode Shellcode

The USER_C_FLAGS build macro is crafted such that:

■Machine code for a routine is emitted when the compiler encounters it
■Thus, the first routine in the source will be located at the lowest address

[Diagram: the routines in SourceFile.c map, in source order, onto the .code section]

Creating Kernel-Mode Shellcode

To see this in action...

Check out the shcode.h file, then compare it to HeartBeat.c

unsigned char ShCodeArray[] =
{
    // doDNSQueries()
    /* 00000000 */ 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, ...

    // getHashA()
    /* 00000270 */ 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0xFF, 0x55, 0x8B, ...

    // walkExportList()
    /* 000002B0 */ 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0xFF, 0x55, 0x8B, ...

    // ...
};
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Extracting Kernel-Mode Shellcode

The shellcode's position in the driver can be found via dumpbin.exe

C:\>dumpbin.exe /headers kmd.sys

SECTION HEADER #1
   .code name
     3A4 virtual size
    1000 virtual address (00011000 to 000113A3)
     400 size of raw data
     400 file pointer to raw data (00000400 to 000007FF)
         file pointer to relocation table
         file pointer to line numbers
         number of relocations
         number of line numbers

[Callout: the "file pointer to raw data" range marks the location of the shellcode in the .sys file]
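A small section-header walker, added here as a defender-side check (it is not the author's code and not dumpbin): it reads the same IMAGE_SECTION_HEADER fields that dumpbin /headers prints, reports each section's raw-data file range, and flags any section marked both executable and writable, which is exactly what the /SECTION:.code,ERW pragma earlier produces and which legitimately built drivers rarely need. The PE image it parses is constructed inside the block; its .code section copies the numbers from the dumpbin output above.

```python
"""Minimal PE section-table parser with an executable+writable triage check.
Added example; the image it parses is constructed, not a real driver."""
import struct

# IMAGE_SECTION_HEADER characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics -> 40 bytes, little endian
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(image: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table
    (the headers dumpbin /headers prints) and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, flags) = SECTION_HDR.unpack_from(image, table + i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "characteristics": flags,
        })
    return sections


def raw_range(section: dict) -> tuple:
    """File offsets (first, last) of the section's raw data, as dumpbin shows them."""
    return section["raw_ptr"], section["raw_ptr"] + section["raw_size"] - 1


def writable_code_sections(sections: list) -> list:
    """Names of sections that are both executable and writable. Drivers normally
    keep code (E) and data (W) in separate sections; a merged ERW section is a
    cheap triage signal worth a closer look."""
    erw = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["characteristics"] & erw == erw]


def build_sample_image() -> bytes:
    """Constructed stand-in for kmd.sys: just enough header to exercise the
    parser. The .code numbers copy the dumpbin output (0x3A4 bytes at RVA
    0x1000, raw data at file offset 0x400); .rdata is made up."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt_size = 0xE0                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    code = SECTION_HDR.pack(b".code", 0x3A4, 0x1000, 0x400, 0x400, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    rdata = SECTION_HDR.pack(b".rdata", 0x80, 0x2000, 0x200, 0x800, 0, 0, 0, 0,
                             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + rdata


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    for s in secs:
        first, last = raw_range(s)
        print(f"{s['name']:8} raw {first:08X}-{last:08X} flags {s['characteristics']:08X}")
    print("executable+writable:", writable_code_sections(secs))
```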



Extracting Kernel-Mode Shellcode

Once you've isolated the shellcode, you can extract it out with a hex editor

[Screenshot: Cygnus Free Edition hex editor open on HeartBeat.sys, offsets 000003E0 to 00000480. The rows before 00000400 are all 00 bytes; at 00000400 the shellcode begins: 8B FF 55 8B EC 83 EC 10 E8 ...]

You can ignore the leading zero bytes (the code is position independent)
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Deploying Kernel-Mode Shellcode

Initially, I stayed within the confines of a Kernel-Mode Driver (KMD)
I defined a placeholder routine, consisting of junk instructions

void placeholder()
{
    __asm _emit 0x90
    __asm _emit 0x90
    __asm _emit 0x90
    __asm _emit 0x90
    __asm _emit 0x90
    // ...
    __asm _emit 0x90
    return;
}

At runtime the KMD would overwrite this dead space with shellcode
(the 0x90 bytes are replaced in place: 0x8B 0xFF 0x55 0x8B 0xEC ... 0xC2 0x04)

Then, the KMD launched the shellcode as a separate system thread
via PsCreateSystemThread()

This approach is far too conspicuous for a production rootkit
But it's useful for testing before you wade into deep water
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Deploying Kernel-Mode Shellcode

One alternative is to simply load the shellcode into memory somewhere
Specifically, a KMD could allocate storage from the non-paged pool

Then, it receives a shellcode payload via a call to DeviceIoControl()

Finally, the KMD unloads, leaving the shellcode alone in memory

Executing Kernel-Mode Shellcode

So, we have this inert blob of shellcode in memory

By itself, it really can't do that much

■It's not a registered driver (e.g. no interface to the I/O Manager)
■It's not a legitimate thread (e.g. not scheduled by the Windows kernel)

It's swimming alone in memory,
with no explicit connection to anything else

Question: How do we get our shellcode to execute?

Answer: We need to intercept an existing path of execution

[Diagram: program control diverted into the ShellCode blob]



Common misconception: 

Application and driver code are confined to their relative address spaces 




Executing Kernel-Mode Shellcode 




Execution paths are actually able to transition between the two modes 




Path of Execution r . 






l-Mode 


■ | ■ . ^.^^ 2O10 © 2010 Below Gotham Labs www.belowgotnam.com 
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Executing Kernel-Mode Shellcode 



There are a variety of different ways to sidetrack the EIP register:

Method of Interception       | Level of Stealth
Call Table Hooking           | Low: call tables are the epitome of static objects
Detour Patching              | Moderate: depending on where and what you patch
Callback Object Modification | High: you're changing naturally dynamic objects

A first cut could implement call table hooking, just to get things to work
As you become more confident, you can adopt more advanced tactics
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Heartbeat Generation 
■Alternatives 
■Compromises 



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Heartbeat Generation - Alternatives

We can tunnel data from the targeted machine using different approaches

Tactic                        | Stealth  | Comments
Use the Existing TCP/IP Stack | Low      | Connection will be locally visible
Roll Your Own TCP/IP Stack    | Moderate | More work, but less conspicuous
Talk Directly to the NIC      | High     | Hardware dependent

Sidestepping the native TCP/IP stack offers better (local) concealment
It also allows an intruder to bypass existing firewall rules
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Heartbeat Generation - Alternatives

But, there are problems with this approach

[Book cover: Harlan Carvey, Windows Forensic Analysis]

"The absence of an artifact is in itself an artifact"

-Harlan Carvey, Windows Forensic Analysis, p. 372
Heartbeat Generation - Alternatives 



■NSM may be deployed, and will capture heartbeat traffic 

■The absence of a corresponding local connection is a telltale sign... 

■Hence, overtly hiding network connections may not be a good idea 




Yet More Engineering Concessions 



Again, must find a middle path

On one hand, we wish to:

■Be stealthy enough to evade a cursory inspection

At the same time, we'd like to:

■Not be so stealthy that we alert a forensic investigator



One Solution:

Hide in as large a crowd as possible

Tunnel the heartbeat over a ubiquitous protocol

This isn't perfect, as we'll see, but can be "good enough"

(Joanna Rutkowska jokingly told me this was 1990s tech, and rightfully so*)

[Diagram: a LAN Machine running the Heartbeat Monitor and the Targeted Server running the Rootkit, linked by a Commonplace Protocol (e.g. DNS, ICMP, HTTP, ...)]

http://www.phrack.org/issues.html?issue=49&id=6
Countermeasures



■The Rootkit Paradox 
■Detecting Local Modifications 
■NSM: The Final Frontier 
■Reality Sinks In 
The Rootkit Paradox

"All rootkits obey two basic principles:
■They want to remain hidden
■They need to run

...If a deterministic process like the operating system can find the rootkit,
then an examiner can find it as well"

-Jesse Kornblum, International Journal of Digital Evidence
Fall 2006, Volume 5, Issue 1

http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE2FC4D-0B11-BC08-AD2958256F5E68F1.pdf
The Rootkit Paradox

Corollary:

In addition to acquiring the attention of a processor
Most rootkits communicate with the outside



(Otherwise implementing C2 could be problematic.) 
Nevertheless...

Just because rootkit code executes and communicates 
Doesn't necessarily mean it will be easy to identify 
(It just indicates that detection is possible) 
It's possible to make a lot of money in the stock market

(You just buy low and sell high) 
This doesn't mean that it's easy in practice 
Detecting Local Modification

Recent Solution: HookSafe

■Employs a hypervisor to act as a watchdog
■Monitors some 5,900 kernel hooks in a Linux guest OS
■Relocates kernel hooks to a reserved, page-aligned region of memory
■Controls access to the relocated hooks using hardware page-level protection

http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf




HookSafe Protects Kernel from Rootkits

Nov 13, 2009  A research group in the computer sciences faculty at North Carolina State University has written a prototype to prevent rootkits from manipulating kernel object hooks to do their damage.
Detecting Local Modification

Not all kernel "hooks" are equal

Call Tables/Code ≈ Static




Detecting Local Modification 



Callbacks, in particular, are a nightmare

[Figure: creating a named callback object and registering a routine with it]

  Driver-allocated memory and/or device extension:

    InitializeObjectAttributes(pAttributes, CallbackName, AttFlags, NULL, NULL);

    ExCreateCallback(&pCallback, pAttributes, FALSE, TRUE);   -->  Named Callback Object

    PCALLBACK_OBJECT pCallback

    ExRegisterCallback(pCallback, pMyRoutine, pContext);

    MyRoutine(pContext, arg1, arg2)
Detecting Local Modification

PVOID ExRegisterCallback
(
    IN PCALLBACK_OBJECT    CallbackObject,
    IN PCALLBACK_FUNCTION  CallbackFunction,
    IN PVOID               CallbackContext
);

VOID ExUnregisterCallback
(
    IN PVOID CbRegistration
);



■There can be an arbitrary number of routines registered with a callback object 

■Routines can be registered and unregistered dynamically 

■Callbacks are spread over the far reaches of kernel space 

■It's not always obvious what constitutes a malicious function pointer 
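The following is an added illustration, not code from the deck and not kernel code: a user-mode model of a named callback object whose registration list grows and shrinks at run time, plus the only check a detector can still run against such a structure, namely whether each registered function pointer lands inside a known, loaded module. ExRegisterCallback and ExUnregisterCallback cannot be called from a user-mode harness, so cb_register, cb_unregister, cb_audit, module_range_t and the module name "example.sys" are invented stand-ins; the module map is a single page around one known routine.

```c
/*
 * Added example (not the deck's code, not kernel code): a user-mode model of a
 * named callback object with dynamic registrations, plus the check a detector
 * has to fall back on when there is no static baseline to diff against:
 * does each registered function pointer land inside a known, loaded module?
 * Names (cb_register, cb_audit, module_range_t, "example.sys") are invented.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*callback_fn)(void *ctx, void *arg1, void *arg2);

/* One registration on the object's list; mirrors the handle ExRegisterCallback hands back */
typedef struct registration {
    callback_fn          fn;
    void                *ctx;
    struct registration *next;
} registration_t;

typedef struct { registration_t *head; size_t count; } callback_object_t;

/* Constructed stand-in for a loaded-module list: name, base address, size */
typedef struct { const char *name; uintptr_t base; size_t size; } module_range_t;

/* Register a routine: returns an opaque handle, like the PVOID from ExRegisterCallback */
void *cb_register(callback_object_t *obj, callback_fn fn, void *ctx)
{
    registration_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->fn = fn;
    r->ctx = ctx;
    r->next = obj->head;        /* list order is arbitrary: there is no fixed slot to baseline */
    obj->head = r;
    obj->count++;
    return r;
}

/* Unregister by handle; the entry simply disappears, as with ExUnregisterCallback */
void cb_unregister(callback_object_t *obj, void *handle)
{
    for (registration_t **pp = &obj->head; *pp; pp = &(*pp)->next) {
        if (*pp == handle) {
            registration_t *dead = *pp;
            *pp = dead->next;
            free(dead);
            obj->count--;
            return;
        }
    }
}

/* Fire every registered routine, in list order */
void cb_notify(const callback_object_t *obj, void *arg1, void *arg2)
{
    for (registration_t *r = obj->head; r; r = r->next)
        r->fn(r->ctx, arg1, arg2);
}

/* Does addr fall inside one of the known modules?  Returns its name, or NULL. */
const char *module_for(uintptr_t addr, const module_range_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Audit: count registrations whose function pointer is outside every known module.
 * A structure that changes at run time cannot be diffed against a snapshot, so
 * "is this pointer owned by a module we trust?" is the question that remains. */
size_t cb_audit(const callback_object_t *obj, const module_range_t *mods, size_t nmods)
{
    size_t suspects = 0;
    for (registration_t *r = obj->head; r; r = r->next) {
        uintptr_t addr = (uintptr_t)r->fn;
        const char *owner = module_for(addr, mods, nmods);
        if (!owner) suspects++;
        printf("callback %p -> %s\n", (void *)addr, owner ? owner : "UNKNOWN (suspect)");
    }
    return suspects;
}

/* The page holding a function's entry point; stands in for a module's text range */
uintptr_t page_base(callback_fn fn) { return (uintptr_t)fn & ~(uintptr_t)0xfff; }

static void good_routine(void *ctx, void *a1, void *a2) { (void)ctx; (void)a1; (void)a2; }

/* Demo: one legitimate routine, one pointer into heap memory that no module owns */
int main(void)
{
    callback_object_t obj = {0};
    module_range_t mods[] = { { "example.sys", page_base(good_routine), 0x1000 } };
    void *heap = malloc(64);                                    /* "code" nobody loaded */
    void *ok  = cb_register(&obj, good_routine, NULL);
    void *bad = cb_register(&obj, (callback_fn)(uintptr_t)heap, NULL);   /* never invoked */
    printf("suspects before unregister: %zu\n", cb_audit(&obj, mods, 1));   /* 1 */
    cb_unregister(&obj, bad);
    printf("suspects after unregister:  %zu\n", cb_audit(&obj, mods, 1));   /* 0 */
    cb_notify(&obj, NULL, NULL);
    cb_unregister(&obj, ok);
    free(heap);
    return 0;
}
```

The second audit is the point of the exercise: once the suspect registration is removed the list looks clean again, so a checker that samples the object at the wrong moment sees nothing, and even a pointer into a loaded module only proves ownership, not intent.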
Detecting Local Modification



General Lesson: 

■Modify system components that are inherently dynamic 



Addendum: 



Watchdog code can be targeted 

Exhibit-A: the arms race to subvert PatchGuard 

http://www.uninformed.org/?v=all&a=38&t=sumry 

Recall what I said about dedicated protected regions 
This is akin to a police department that goes bad 



NSM: The Final Frontier



Rootkits can "interfere" with local data collection 
■It's difficult to obtain an objective POV 
■A rootkit can obfuscate or eliminate evidence 



But it's a whole new ballgame on the network 
■It's much harder to conceal data 
■Responders can capture and analyze everything 
■Sometimes just seeing a connection is enough 
Reality Sinks In



Fact: IT Divisions operate on a budget 

■Overworked responders often don't have the time to unearth a rootkit 
■As a result, imperfect concealment is often sufficient 




"I have encountered plenty of roles where I am motivated and 

technically equipped, but without resources and power. 

I think that is the standard situation for incident responders" 

-Richard Bejtlich 

http://taosecurity.blogspot.com/2008/08/getting-job-done.html 
Future Directions



Heartbeat Mechanism 
Command & Control 
Runtime Deployment 
Heartbeat Mechanism

My heartbeat code introduces new packets into the network stream 

Under careful scrutiny, this could indicate that something is amiss 



[Figure: the DNS response used as the heartbeat carrier, field by field, values as hex bytes]

Header
  ID              [ 00, 02 ]
  Flags           [ 81, 80 ]
  Questions       [ 00, 01 ]
  Answer RRs      [ 00, 01 ]
  Authority RRs   [ 00, 00 ]
  Additional RRs  [ 00, 00 ]

Question(s)  (size varies)
  Name   [ 03, 77, 77, 77, 04, 63, 77, 72, 75, 03, 65, 64, 75, 00 ]   (www.cwru.edu)
  Type   [ 00, 01 ]   (A)
  Class  [ 00, 01 ]   (IN)

Answer RRs  (size varies)
  Name         [ c0, 0c ]   (compression pointer back to the question name at offset 12)
  Type         [ 00, 01 ]   (A)
  Class        [ 00, 01 ]   (IN)
  TTL          [ 00, 00, 0a, ed ]   (2797 seconds)
  Data Length  [ 00, 04 ]
  IP Address   [ 81, 16, 68, 88 ]   (129.22.104.136)

Authority RRs / Additional RRs: none
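As an added example (not the deck's heartbeat code), here is a parser for the response above, written the way a heartbeat monitor, or an NSM sensor looking at the same packet, would have to read it: header, question, then the first answer, including the c0 0c compression pointer. The byte array is constructed by transcribing the slide's hex; the decoded name and address follow from those bytes. The function names parse_dns_response and read_name are invented. The pointer handling rejects forward pointers and caps the hop count, the two checks that keep a hostile packet from looping the parser.

```c
/*
 * Added example (not the deck's heartbeat code): parse the DNS response laid
 * out on the slide and pull the fields a heartbeat monitor would key on.
 * kHeartbeatPkt is transcribed from the slide's hex; www.cwru.edu and
 * 129.22.104.136 are what those bytes decode to.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the slide's layout: header, one question, one A answer (46 bytes) */
static const uint8_t kHeartbeatPkt[] = {
    0x00, 0x02,                                   /* ID */
    0x81, 0x80,                                   /* flags: QR=1, RD=1, RA=1, RCODE=0 */
    0x00, 0x01, 0x00, 0x01,                       /* QDCOUNT=1, ANCOUNT=1 */
    0x00, 0x00, 0x00, 0x00,                       /* NSCOUNT=0, ARCOUNT=0 */
    0x03,'w','w','w', 0x04,'c','w','r','u', 0x03,'e','d','u', 0x00,   /* QNAME */
    0x00, 0x01, 0x00, 0x01,                       /* QTYPE=A, QCLASS=IN */
    0xc0, 0x0c,                                   /* NAME: pointer to offset 12 (the QNAME) */
    0x00, 0x01, 0x00, 0x01,                       /* TYPE=A, CLASS=IN */
    0x00, 0x00, 0x0a, 0xed,                       /* TTL = 0x0aed = 2797 s */
    0x00, 0x04,                                   /* RDLENGTH = 4 */
    0x81, 0x16, 0x68, 0x88                        /* RDATA = 129.22.104.136 */
};

typedef struct {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
    char     qname[256];  uint16_t qtype, qclass;
    char     aname[256];  uint16_t atype, aclass, rdlength;
    uint32_t ttl;
    char     ip[16];      /* dotted quad when the answer is an A record */
} dns_response_t;

static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)((p[o] << 8) | p[o + 1]); }
static uint32_t rd32(const uint8_t *p, size_t o) { return ((uint32_t)rd16(p, o) << 16) | rd16(p, o + 2); }

/* Decode a (possibly compressed) name at off into out.  Returns the offset just
 * past the name in the original stream, or -1 on malformed input.  Pointers may
 * only point backwards, and a hop limit stops pointer loops. */
int read_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outsz)
{
    size_t pos = off, outpos = 0, ret = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = pkt[pos];
        if ((l & 0xc0) == 0xc0) {                            /* compression pointer */
            if (pos + 1 >= len || ++hops > 16) return -1;
            size_t ptr = ((size_t)(l & 0x3f) << 8) | pkt[pos + 1];
            if (ptr >= pos) return -1;                       /* must refer to earlier data */
            if (!jumped) ret = pos + 2;                      /* stream resumes after the pointer */
            jumped = 1;
            pos = ptr;
            continue;
        }
        if (l & 0xc0) return -1;                             /* 0x40 / 0x80 label types are reserved */
        if (l == 0) { if (!jumped) ret = pos + 1; break; }   /* root label ends the name */
        pos++;
        if (pos + l > len || outpos + l + 2 > outsz) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos, l);
        outpos += l;
        pos += l;
    }
    out[outpos] = '\0';
    return (int)ret;
}

/* Parse header, question and first answer.  Returns 0 on success, -1 if the packet
 * is truncated, is not a response, or does not carry exactly one question. */
int parse_dns_response(const uint8_t *pkt, size_t len, dns_response_t *r)
{
    memset(r, 0, sizeof *r);
    if (len < 12) return -1;
    r->id      = rd16(pkt, 0);  r->flags   = rd16(pkt, 2);
    r->qdcount = rd16(pkt, 4);  r->ancount = rd16(pkt, 6);
    r->nscount = rd16(pkt, 8);  r->arcount = rd16(pkt, 10);
    if (!(r->flags & 0x8000) || r->qdcount != 1 || r->ancount < 1) return -1;

    int off = read_name(pkt, len, 12, r->qname, sizeof r->qname);
    if (off < 0 || (size_t)off + 4 > len) return -1;
    r->qtype = rd16(pkt, off);  r->qclass = rd16(pkt, off + 2);  off += 4;

    off = read_name(pkt, len, off, r->aname, sizeof r->aname);
    if (off < 0 || (size_t)off + 10 > len) return -1;
    r->atype = rd16(pkt, off);      r->aclass   = rd16(pkt, off + 2);
    r->ttl   = rd32(pkt, off + 4);  r->rdlength = rd16(pkt, off + 8);  off += 10;
    if ((size_t)off + r->rdlength > len) return -1;
    if (r->atype == 1 && r->aclass == 1 && r->rdlength == 4)
        snprintf(r->ip, sizeof r->ip, "%u.%u.%u.%u", (unsigned)pkt[off],
                 (unsigned)pkt[off + 1], (unsigned)pkt[off + 2], (unsigned)pkt[off + 3]);
    return 0;
}

int main(void)
{
    dns_response_t r;
    if (parse_dns_response(kHeartbeatPkt, sizeof kHeartbeatPkt, &r) != 0) { puts("malformed"); return 1; }
    printf("id=0x%04x flags=0x%04x  %s A? -> %s A %s ttl=%u\n",
           r.id, r.flags, r.qname, r.aname, r.ip, (unsigned)r.ttl);
    return 0;
}
```

From the monitor's side the payload is whatever the operator chose to put in the answer fields; from the NSM side the same parser gives an analyst the transaction ID, the TTL and the answer address to compare against what the real resolver for that name would have returned.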
Heartbeat Mechanism

One alternative is simply to embed data in existing network traffic
In other words, establish a Passive Covert Channel (PCC)

There's been some publicly available research done in this area

■NUSHU   http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
■Lathra  http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf
Heartbeat Mechanism

There are a couple of challenges that accompany the PCC strategy

The necessity to intercept all traffic emitted by the compromised host
■Could entail cracking a hardened gateway device
■Involves extra time and resources

Data exfiltration can be a slow and tedious process
■Not a good scheme for looting a data warehouse
■The longer you operate, the greater your risk
■But, for smuggling out a list of password hashes...
Command & Control (C2)

For full-featured rootkit deployments, we wish to optimize ROI

[Figure: Shellcode VM]

  Rootkit logic implemented using arbitrary bytecode   -->  Bytecode

  Virtual machine isolates the foibles of a given OS   -->  Runtime Environment:
                                                              Bytecode APIs, Bytecode Loader,
                                                              Bytecode Engine, Native Call Interface
Command & Control (C2)

This approach lends itself to loading bytecode dynamically
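To make the Shellcode VM layering concrete, here is an added miniature, not the deck's engine: a stack-based bytecode interpreter whose only way to touch the host is a native call table. The rootkit logic is the bytecode; the OS-specific part is the table, so the same program runs anywhere the table has been filled in, and a new program can be loaded as bytes without shipping native code. The opcode set, the two natives (emit_heartbeat, heartbeat_count) and the sample program are invented for this illustration; every fault (bad pc, stack over/underflow, unknown opcode or native) stops the engine without touching host state.

```c
/*
 * Added example, not the deck's Shellcode VM: a miniature stack-based bytecode
 * engine with a native call table.  Rootkit logic lives in portable bytecode;
 * everything OS-specific sits behind the table, so porting means swapping
 * the table, not the program.  Opcodes, natives and the sample program are
 * invented for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OP_HALT, OP_PUSH, OP_POP, OP_DUP, OP_ADD, OP_SUB, OP_JZ, OP_JMP, OP_NATIVE };

/* Native Call Interface: args are the popped operands, the return value is pushed */
typedef int32_t (*native_fn)(const int32_t *args, int nargs);
typedef struct { const char *name; native_fn fn; int nargs; } native_entry_t;

#define STACK_MAX 64

/* Run code until HALT; the value on top of the stack becomes *result.
 * Returns 0 on a clean halt, -1 on any fault. */
int vm_run(const uint8_t *code, size_t len, const native_entry_t *natives, size_t nnatives, int32_t *result)
{
    int32_t stack[STACK_MAX];
    int sp = 0;
    size_t pc = 0;
    for (;;) {
        if (pc >= len) return -1;                       /* ran off the end of the program */
        uint8_t op = code[pc++];
        switch (op) {
        case OP_HALT:
            if (sp < 1) return -1;
            *result = stack[sp - 1];
            return 0;
        case OP_PUSH: {                                 /* PUSH imm32 (little-endian) */
            if (pc + 4 > len || sp >= STACK_MAX) return -1;
            uint32_t u = (uint32_t)code[pc] | ((uint32_t)code[pc + 1] << 8) |
                         ((uint32_t)code[pc + 2] << 16) | ((uint32_t)code[pc + 3] << 24);
            stack[sp++] = (int32_t)u;
            pc += 4;
            break;
        }
        case OP_POP:
            if (sp < 1) return -1;
            sp--;
            break;
        case OP_DUP:
            if (sp < 1 || sp >= STACK_MAX) return -1;
            stack[sp] = stack[sp - 1];
            sp++;
            break;
        case OP_ADD: case OP_SUB: {
            if (sp < 2) return -1;
            int32_t b = stack[--sp], a = stack[--sp];
            stack[sp++] = (op == OP_ADD) ? a + b : a - b;
            break;
        }
        case OP_JZ: case OP_JMP: {                      /* target is a 16-bit code offset */
            if (pc + 2 > len) return -1;
            size_t target = (size_t)code[pc] | ((size_t)code[pc + 1] << 8);
            pc += 2;
            if (op == OP_JZ) { if (sp < 1) return -1; if (stack[--sp] != 0) break; }
            if (target >= len) return -1;
            pc = target;
            break;
        }
        case OP_NATIVE: {                               /* NATIVE idx: call through the table */
            if (pc + 1 > len) return -1;
            uint8_t idx = code[pc++];
            if (idx >= nnatives) return -1;
            int nargs = natives[idx].nargs;
            if (sp < nargs) return -1;
            sp -= nargs;
            if (sp >= STACK_MAX) return -1;
            stack[sp] = natives[idx].fn(&stack[sp], nargs);
            sp++;
            break;
        }
        default:
            return -1;                                  /* unknown opcode */
        }
    }
}

/* Host side (constructed): the only state the bytecode can reach is via the table */
static int32_t g_heartbeats;
static int32_t native_emit_heartbeat(const int32_t *args, int nargs) { (void)args; (void)nargs; return ++g_heartbeats; }
static int32_t native_heartbeat_count(const int32_t *args, int nargs) { (void)args; (void)nargs; return g_heartbeats; }

static const native_entry_t kNatives[] = {
    { "emit_heartbeat",  native_emit_heartbeat,  0 },   /* index 0 */
    { "heartbeat_count", native_heartbeat_count, 0 },   /* index 1 */
};
#define NNATIVES (sizeof kNatives / sizeof kNatives[0])

/* Sample program: emit three heartbeats, then return how many were sent */
static const uint8_t kProgram[] = {
    OP_PUSH, 3, 0, 0, 0,      /*  0: counter = 3                 */
    OP_DUP,                   /*  5: loop:                       */
    OP_JZ, 21, 0,             /*  6: if counter == 0 goto 21     */
    OP_NATIVE, 0,             /*  9: emit_heartbeat()            */
    OP_POP,                   /* 11: discard its return value    */
    OP_PUSH, 1, 0, 0, 0,      /* 12:                             */
    OP_SUB,                   /* 17: counter -= 1                */
    OP_JMP, 5, 0,             /* 18: goto loop                   */
    OP_POP,                   /* 21: drop counter                */
    OP_NATIVE, 1,             /* 22: heartbeat_count()           */
    OP_HALT                   /* 24: result = top of stack (3)   */
};

/* Reset host state and run the sample; returns vm_run's status */
int run_heartbeat_program(int32_t *result)
{
    g_heartbeats = 0;
    return vm_run(kProgram, sizeof kProgram, kNatives, NNATIVES, result);
}

int main(void)
{
    int32_t r;
    if (run_heartbeat_program(&r) == 0) printf("bytecode returned %d\n", (int)r);
    else puts("vm fault");
    return 0;
}
```

Loading a different program is a matter of pointing vm_run at a different byte array received over the heartbeat channel; nothing about the engine or the table changes, which is what makes the dynamic-loading step cheap.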




Runtime Deployment 



Thus far, we've loaded the rootkit by means of a user-mode exploit 
A more direct alternative would be to leverage a Kernel-Mode Exploit 
(Though, this depends heavily on the targeted buggy driver being present) 




[Book cover: The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System]



Source Code for this Presentation: 
http://www.belowgotham.com/BH-DC-2010.zip 



For Additional Information, See: 

The Rootkit Arsenal 

Jones & Bartlett Publishers 

1st edition (May 4, 2009), 908 pages 

ISBN-10: 1598220616 

ISBN-13: 978-1598220612 




Reverend Bill Blunden
Thank You For Your Time

One engineer's secret
Is another's implementation